Multi-user permission strategy to access sensitive information

ABSTRACT

A system and related methods for providing greater security and control over access to classified files and documents and other forms of sensitive information based upon a multi-user permission strategy centering on organizational structure. Based on the sensitivity or classification of the information being requested by a user, approvers are selected dynamically based on the work environment (e.g., mobility, use of the computing device seeking access, access policy, and the like). The selected sets of approvers are non-repetitive in nature, making it very hard to guess which approvers will be selected for a particular request.

This application claims benefit of and priority to U.S. Provisional Applications Nos. 62/652,411, filed Apr. 4, 2018, and 62/483,716, filed Apr. 10, 2017, by Dipankar Dasgupta, et al., and is entitled to benefit of those filing dates. The complete disclosures, specifications, drawings, and appendices of U.S. Provisional Applications Nos. 62/652,411 and 62/483,716, and U.S. application Ser. Nos. 14/968,676, 62/169,991, and 62/262,626 are incorporated herein by specific reference in their entireties for all purposes.

FIELD OF INVENTION

This invention relates to a system and method for controlling computer-based access to classified or protected files and documents, or other sensitive information.

BACKGROUND OF THE INVENTION

Exfiltration of sensitive data and intellectual property theft have increased to a significant level affecting both government agencies as well as small to large businesses. One of the major sources of data breaches is malicious insiders who have the access rights, knowledge of data values and technical know-how to escalate their privileges in launching such insider attacks. Traditional access control policies (to shared data and computing resources) have been framed according to the trust on legitimate users' access rights (e.g., read, write and execute) based on their jobs and role hierarchy in an organization. However, such access privileges are increasingly being misused by hostile, oblivious, rogue and pseudo-insiders.

Traditionally, all devices and data were under the domain of an organization, and attacks were either from insiders or outsiders, as the network parameters were well-defined. With the advent of cloud computing, increased mobility, and the use of personal devices (bring-your-own-device, or BYOD), a vast amount of data are now distributed across customers, service providers, and other third-party storage, each with varying security capabilities and management policies. Due to these changes, exfiltration of sensitive data and intellectual property theft have increased to a significant level, affecting both government agencies as well as small to large businesses. Most data breaches are results of employee actions due to negligence, ignorance, misplaced intent, or curiosity.

However, malicious insiders who have the access rights, knowledge of data values and technical know-how of escalating their privileges are launching such insider attacks. Insider threats can be more damaging to an organization than outsider/intruder attacks, since there is a significant cost associated with the resolution of such insider attacks. It is estimated that insider attacks take on an average 20% more time than an external cyber-attack. Further, considering companies which experience data breach, insiders were responsible for 43% of data loss, half of these were intentional, and the other accidental. Insider threats cause high risks to all enterprises, regardless of their size, industry or region.

Attempts have been made to address insider threat issues, but with little success. Proposed solutions focus on analysis, detection, and prediction, with virtually no effect on insider attack prevention. The prevention of insider threats is a non-trivial task due to various factors, ranging from the complexities of defining insider threats to in-time detection of such threats. For example, organization typically use a mix of role-based access control and task-based policies, often with role hierarchies and constraints. Users get access based on their different administrative scopes in a role hierarchy in the organization. However, once the access (read, write, execute) is granted, the user typically can copy the requested resource. There exist very limited additional preventive measures over the access to sensitive information by legitimate users of an organization. In particular, the primary focus of prior art approaches is on access control administration based on the responsibilities assigned to specific employees, rather than on shared roles and responsibilities.

Accordingly, what is needed is a system providing greater security and control over access to classified files and documents and other forms of sensitive information.

SUMMARY OF INVENTION

In various exemplary embodiments, the present invention comprises a system and related methods for providing greater security and control over access to classified files and documents and other forms of sensitive information based upon a multi-user permission strategy centering on organizational structure. Based on the sensitivity or classification of the information being requested by a user, approvers are selected dynamically based on the work environment (e.g., mobility, use of the computing device seeking access, access policy, and the like).

The present invention first generates an access control graph for a subject organization, based on the interrelationship among employees and their roles in an organization. It then generates a set of permission grantors, who are allowed to approve the access request of a particular user at a given time. The system does this by finding a set of possible approvers for a user file access request based on potential approvers rank, availability, and other pertaining conditions. In several embodiments, the system incorporates the Key Result Area (KRA) of the employee. The number of separate permissions needed for approval may be based on the classification (secrecy) level. The system then determines in real time or near real time the set of permission approvers for the request. Selection of the set of approvers is non-repetitive, thereby reducing the change of manipulation of the permission approvers.

In several embodiments, the present system assumes that the organizational structure as a graph or network that depends on the inter-relationship of components. Each organization has a specific hierarchical employee structure, with corresponding roles and task assignments. Each employee has a role (or, in some case, multiple roles), and each role encompasses or requires different activities. The workflow in the organization is bi-directional, in order to optimize productivity and reduce wastage of human efforts. Organization files and documents are classified into different categories, and are archived. As discussed above, access to a particular file or document needs a specific number of approvals, based on the level of sensitivity.

The system thus mitigates privilege abuse risks by establishing a protocol of shared-responsibility among a group of users (e.g., employees in an organization). any request for accessing a classified or protected file or document needs approval from a set of approvers, rather than seeking approval from a single approver. The person requesting access does not know the set of approvers selected for a particular access request, and cannot determine their identities. Access and approver logs may be kept with proper retention for audit and risk analysis, such as when an incident is reported, as described below.

The present invention is applicable for various forms of organizations, enterprises, and governmental agencies.

In several embodiments, the present invention comprises a method of accessing classified documents from an active archived system, in response to a user access request for classified data, information, or services. The system develops a multi-approver strategy to provide shared-trustworthiness access to the classified data, information and services. User access logs and approver logs are stored at a separate (which may be geographically separate) location under different control (thereby preventing a rogue “superuser” from accessing or erasing the log files to remove traces of malicious activities). These logs may be analyzed and a risk analysis performed when an unexpected or anomalous incident occurs. With high-bandwidth communication media and user-friendly applications on mobile computing devices, approvers will be able to grant or deny access requests in near real-time, so the delay in receiving access permission is bounded or limited.

Malicious or anomalous behavior provides feedback to the system for intelligently deciding the approvers for an particular user's access request, thereby forming a closed-loop data-breach prevention and detection framework.

The system design thus separates policy from the mechanisms of access control and execution of tasks. Today's organizations rely on either (one) uniform policy for all document access or on separate access policies for documents without other considerations such as human factors, organizational structure and work flow (tasks and activities), and non-technical attacks such as social-engineering or collusion. By separating all these facets and creating enforcement mechanisms, the shared-trust framework of the present invention provides the necessary flexibility for an organization yet gives the organization the control of setting the access policies for classified/sensitive documents while minimizing the effect of factors mentioned. The present system thus addresses issues such as, but not limited to, automatic enforcement of security policy, on-technical threats (e.g., social engineering and collusion). When a user requests access to a particular classified document, the response will be based on the shared trust policy from a set of users from the organization (based on the organization structure and role of the user) who are available at that instance of time to act as approvers notifying them to approve the request.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a view of a system in accordance with an embodiment of the present invention.

FIG. 2 shows symbols used for organizational structure graphing.

FIG. 3 shows a detailed view of a methodology for multi-permission selection in accordance with an embodiment of the present invention.

FIG. 4 shows an example of an organizational roles and activities table.

FIG. 5 shows detailed descriptions of the activities from FIG. 4.

FIG. 6 shows a list of numbers of common employees working on different activities of specific roles for the organization of FIG. 4.

FIG. 7 shows hierarchical relationships among different activities of various roles for the organization of FIG. 4.

FIGS. 8 and 9 show examples of sequential selection of sets of permission approvers for “top secret” and “secret” documents for the organization of FIG. 4.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

In various exemplary embodiments, the present invention comprises a system and related methods for providing greater security and control over access to classified files and documents and other forms of sensitive information based upon a multi-user permission strategy centering on organizational structure. Based on the sensitivity or classification of the information being requested by a user, approvers are selected dynamically based on the work environment (e.g., mobility, use of the computing device seeking access, access policy, and the like).

Current defense-in-depth security practices mainly focus on external attacks and illegal access but with not enough emphasis on the unintentional misuse of access or malicious intent of legitimate users. In particular, mechanisms of user access to sensitive data rely completely on the users' trust. Today's organizations rely on either one policy for accessing all documents or on separate access policies for documents, without considering human factors, organizational structure and work flow (tasks and activity), and non-technical attacks such as social-engineering or collusion. By separating all these facets and creating enforcement mechanisms, it is necessary to provide flexibility to organizations for data access yet give them the control of setting the access policies for documents while minimizing the effect of above-mentioned factors. Although current systems maintain user access logs and activity logs, these can easily be deleted by malicious super or privileged users. The present invention addresses these problems with the prior art by establishing a protocol of shared responsibility among the users for access to sensitive resources on a network and elsewhere.

The present invention uses a trust model which embodies permission-granting strategies in order to prevent insider data breaches through shared responsibilities, in particular, user activities with classified data (i.e., which sensitive data are being accessed, when and by whom) are to be regulated via an approval process, so that a few others are aware of such an access. In several embodiments, shared-trustworthy access to classified data and services is provided via a multi-approver strategy, assuming that documents are already classified with risk quantification of information disclosure, and policies for user access exist. The system then monitors users' behavior by analyzing the legitimacy of their actions from the activity logs and approver logs. Any malicious/anomalous behavior then provides feedback to the multi-approver subsystem for intelligently deciding the approvers for a particular user for further access, forming a close-loop data-breach prevention and detection framework.

Any request for accessing a classified document needs approval from a set of users. However, fulfilling this request requires determining on what basis and how the set of approvers are chosen. As described below, the present invention provides a methodology for choosing a requisite number of approvers considering the organizational structure and classification level of the document and its associated security policy. Such a permission strategy takes into account the employee's role and hierarchy while determining the approvers, and is capable of supporting organizations of any size while handling permissions and resources of varying degrees of sensitivity.

FIG. 1 provides an overview of the multi-approval strategy of the present invention. After receiving a request from a user to access sensitive information, the system determines the number of approvals as well as finds the appropriate approvers and notifies them accordingly. When a user 10 requests access to a particular classified document 30 (Steps 1, 2), the organization's access control 20 checks the user's access rights according to the organization's access right policy. Then based on the shared trust policy (Step 3), it will choose a set of users 40 from the organization (based on the organization structure and the role of the user) who are available at that instance of time to act as approvers (User A and User B, and possibly more), notifying them to approve the request (Step 4). The identity of approvers chosen is disclosed to the requesting user 10 to prevent future security threats and collusion with other users. When all of the selected approvers 50 grant the request (Step 5), the requesting user 10 obtains access to the classified document (Step 6). The access or approver logs are stored 60, and are available for and will be analyzed for any incident detection or prevention of malicious behavior (Step 7), using on-line or off-line analysis techniques and methods.

An “organization” structure is represented as a graph/network dependent on the inter-relationship of the structure. That is, each organization has a specific hierarchical employee structure, roles and task assignments. An “employee” is a person (such as, but not limited to, a worker, contractor, officer, agent, independent subcontractor, or other individual) in or connected to the organization who has a role and performs different tasks/activities based on his/her job description. The “role” is a basis for establishing access control policies or a specific task competency for a user, including, but not limited to, a manager, supervisor, developer, or analyst. Roles define which individuals are allowed to access specific resources for a specific purpose. For example, a system operator's role may require access to all computer resources but not allow changing any access permissions, while a system administrator may change any user's access permissions but not approve any access permissions. The “workflow” in an organization may be uni-directional, bi-directional, or multi-directional in order to optimize productivity and reduce wastage of human efforts. A “document” includes any electronic object, including, but not limited to, files, messages, data, codes, information, or other forms of content. “Classified” refers to a document which is labelled or classified under a different category (such as top secret, secret, classified, proprietary, and so on.) based on the degree of sensitivity. Archived documents may be considered classified when they are stable (i.e., not under development or supposed to be modified) and have read access for use. “Clearance” or “permissions” refers to a user's ability to access classified documents. Approvals are required to access classified documents (CD), and the number of approvers may depend on the classification level of the document.

As an initial step to implementing the present invention, an access control graph for a subject organization is generated, based on the interrelationship among employees and their roles in an organization. This requires capturing information about the organization's specific hierarchical structures, roles, and task assignments. Since organizational capacity can vary over time, variations in number of employees/participants, roles, and the like, are supported. In several embodiments the organizational structure may be modeled or represented in an isomorphic relational graph using the stochastic Kronecker graph (SKG) model.

The problem then can be defined as follows, in the context of the organization (see FIG. 2). Given a collection of classified objects

₊ in an organization, having varying degrees of sensitivity

₊ that require

₊ number of permissions, such that if sensitivity S_(m) is higher than S_(n). then P_(m)>P_(n), employee activities are governed by hierarchical role-based strategy, and follows the Bell LaPadula lattice model for access to an object, O_(j). Let R=

₊ be the set of different roles; A={Ai

₊ be the set of various activities of the i^(th) role; and E={E_(ij)} be the set of different employees working in various activities, A_(i)[j]. For the shared trust model, a unique set of permissions is required, which will also follow the same confidentiality model, and if an employee E_(ij) wants to access an object O_(j) having sensitivity S_(l) that needs P_(l) number of permissions, then the available set of employees {E_(rs)}⊂E can give permissions if i≤r, i.e., permission approvers must be employees of same or higher role than the requester.

Accordingly, a random graph model based on the Kronecker products of stochastic matrices are generated for representing hierarchical role-based access control of an organization. In this model, θ_(N) ₁ _(k) _(×N) ₁ _(k) ^(⊗[k])∈

^(N) ¹ ^(k) ^(×N) ¹ ^(k) is the k^(th) SKG, which can be considered as the graph, isomorphic to an organization's role hierarchy. It can be used as a method for simulating very large time-evolving random graphs. Moreover, using these simulated graphs, instead of real measured ones, it is possible to test algorithms on graphs even larger or denser than presently observed ones. Simulated graphs also allow one to judge which features of a real graph are likely to hold in other similar graphs and which are idiosyncratic to the given data set. SKGs can serve this purpose through model generation that has only a few parameters; however, parameter estimation poses unique challenges for these graphs. The main problem is that for a graph with n nodes (representing employees of an organization), the likelihood has contributions from n! permutations of the nodes. In practice, many thousands or millions of randomly sampled permutations may need to be used to estimate the likelihood. Even then it takes more than O(n²) number of operations to evaluate the likelihood contribution from one of the permutations.

In several embodiments, the present invention creates self-similar SKGs, recursively as different employees can only work for pre-defined roles of the particular organization. We begin with a primary initiator or generator graph θ, with N₁∈

nodes and E₁∈

⁺ edges, and recursively produce larger graphs G₁, G₂ . . . such that the k^(th) graph G_(k) of N₁ ^(k)(∈

+) nodes. The generator graph θ and later the optimum generator {circumflex over (θ)} can be created using the relationships among different roles of an organization. Hence, the k^(th) graph G_(k) can be considered as a relationship graph isomorphic to the structure of the organization. The degree of similarity depends on the perfect estimation of the optimum initiator {circumflex over (θ)}. Moreover, the optimum generator contains different properties of the organization, such as the relationships among its different activities {A_(i)[j]:i,j∈

⁺} of various roles

₊, as the optimum generator has been constructed from the organizational hierarchy, chain-wise propagation of relationships among the employees with different roles, and the like. Additionally, these properties are propagated well through different subgraphs G₁, G₂ . . . to the final graph G_(k), which has been considered as the isomorphic relationship graph of the organization. Consequently, G_(k) contains most of the properties (such as number of nodes and edges, connected components, and the like) that can be found in the original relationship graph G of the respective organization as G has been estimated by the k^(th) SKG G_(k).

FIG. 3 shows a more detailed view of the multi-permission approval process of the present invention. The system first combines the role-based and task-based access control policy of the organization that defines relationships 110 among various employees working in different roles of the organization. It then constructs the primary/initial initiator or generator matrix θ 120, using the above relationships, that implicitly holds the properties of the organization hierarchy. It then finds the best initiator that will generate the relationship graph (among different employees) of the organization with the least amount of error (this comprises dimensional reduction of θ and optimal/best estimation) 130, 140, 150.

After forming the organization relationship graph, the next task is to find all the adjacent elements 160 of every node (i.e., user) of G_(k), as some among them will give the permissions based on the sensitivity and confidentiality of the documents. The role of every node (i.e., user) is analyzed 170.

The number of permissions 180 (p_(i); i=1, 2, . . . n) required to access classified files (c_(j)=1, 2, . . . , m) varies with their sensitivity or classification levels 190. FIG. 3 shows classifications of five levels such as top-secret, secret, confidential, restricted, and unclassified, although classification schemes with different numbers of classification levels can be used for a multi-permission strategy. Classification levels can change over time: for example, a test paper can be considered as a confidential document before the examination; however, it becomes public when the test is over. Hence, to implement this realistic situation, the number of permissions needed to be varied dynamically based on the status of the file and organizational security policy.

In several embodiments, the system eliminates lower-ranked employees (as determined using the organization hierarchy) from the list or pool of possible approvers. After judging the role of the employee requesting a particular file, all lower-ranked employees are eliminated from the sets of adjacent employees. While the number of highly-ranked employees working at an organization can be low, and thus reduces the size of the pool of possible approvers, the permission strategy may not be as applicable to them given their status. However, to broaden the pool of possible approvers for such high-ranked employees, the pool can be expanded to include lower-ranked employees within a certain level (e.g., one level below, two levels below, and so on).

The number of permissions needed for a particular file will be decided based on the confidentiality of the documents. Since the confidentiality of documents may vary with time, a stochastic optimization to evaluate the number of permissions is needed for a file at a particular time instance. It then generates a set of permission grantors 200, who are allowed to approve the access request of a particular user at a given time. The set of permission approvers for a file access request changes at any given time.

Finding a set of possible approvers for a user file access request thus can be based on potential approvers rank, availability, and other pertaining conditions. In several embodiments, the system incorporates the Key Result Area (KRA) of the employee. The number of separate permissions needed for approval may be based on the classification (secrecy) level. The system then determines in real time or near real time the set of permission approvers for the request (i.e., the subset of the set of possible approvers).

Selection of the set of approvers is non-repetitive, thereby reducing the chance of manipulation of the permission approvers. In several embodiments, when selecting the subset of permission grantors of the set of possible approvers, confirmation of the non-repetitive selection of the set of permission approvers is done.

The set of permissions for a file of a particular sensitivity type may vary with time to escalate the quotient of uncertainty for the legitimate/illegitimate user to guess the appropriate set of permission approvers at any time. In several embodiments, the system approaches this as a stochastic optimization problem to select the set of permission approvers for a file access at a specific time instance. Let X_(t) be the set of permission approvers at time t. Let node E_(p); p∈

⁺ send a request for the file F, having a specific type of sensitivity at time t, A_(t)(E_(p)) be the set of adjacent elements (at time t) of E_(p), and |A_(t)(E_(p))| be the cardinality of A_(t)(E_(p)). Let Pw(A_(t)(E_(p))) be the power set of A_(t)(E_(p)), having 2^(|At(Ep)|) number of elements. Here, the number of elements of A_(t)(E_(p)) varies with time, as the number of employees working in the organization may vary with time.

Let

X _(F,t,j) _(t) _(,E) _(p) ={Rel({right arrow over (E _(p) ,E _(l))}),Rel

be the set of j_(t)∈

⁺ distances (at time t) of the permission approver nodes from E_(p) for F, when E_(p) sent a request at time t. For example, let |X_(F,1,j1,E2)| be the number of distances from node E₂∈G_(k) to its adjacent nodes at time t=1, which may change at t=2. The set X_(F,t,jt,Ep) can also be defined as the set of distances of all the elements of A_(t)(E_(p)) from the node E_(p). Next, the approver, Y_(F,t,j,Ep)∈Pw(A_(t)(E_(p))) is defined as

$Y_{F,t,j,E_{p}} = {\frac{1}{\sqrt{2}}{\sum_{E_{l} \in {A_{t}{(E_{p})}}}e^{- {{Rel}{(\overset{\rightarrow}{E_{p},E_{l}})}}}}}$

Then, to reduce the chance of repetition in the set of selected approvers, the following problem is solved:

min P(Y _(F,t,j) _(t) _(,E) _(p) |Y _(F(t-1),j) _((t-1)) _(,E) _(p) ,Y _(F(t-2),j) _((t-2)) _(,E) _(p) ,Y _(F(t-1),j) _((t-3)) _(,E) _(p) , . . . , Y _(F1,j) ₁ _(,E) _(p) )

Employee U∈G has m number of adjacent employees and among them m_(U) ∈

⁺ number of employees are unavailable. Hence, the number of active adjacent employees for U is (m−m_(U)). Now, by way of example, for a top secret file the selected set of permission approvers must contain three employees. If the number of adjacent employees is large, then the active adjacent employees also is likely to be large, and the probability of any employee being selected is low, making the set of three permission grantors very likely to be non-repetitive (i.e., the set will contain at least one different permission approver). This makes is very hard to guess the set of permission approvers based upon prior selections.

By way of example, consider an organizational structure with six levels of administrative role hierarchy, and each role has multiple activities, as seen in FIG. 4. Here, Managing Director (or MD) (R6) has the topmost administrative role. A Managing Director has multiple Managers (R5) under him/her, and each Manager has a number of Principal Analysts (R4), Senior Analysts (R3), Analysts (R2), and Jr. Analysts (R1). The hierarchical structure of the organization along with different activities (shown horizontally in FIG. 4), where R1

R2

R3

R4

R5

R6 is the partial order relationships among various roles of the organization. Consequently, it can be denoted by R1

R2

R3

R4

R5

R6.

FIG. 5 shows the role-activity mapping for the organization. Some of the employees in same role can have some common activities. From the raw data set it can be seen that A3[4] (patch analysis and apply patch) and A3[6] (push OS and DB patch to OS admin) have common employees. For example, the employee who submits a patch request can also analyze the patch and apply it. Hence, the intersection of E34 and E36 is non-empty, i.e., (E34∩E36)≠ϕ. Detailed information regarding the number of common employees can be seen in FIG. 6.

Similarly, A3[4] and A3[7](review application logs) have common employees, i.e., an employee working in patch analysis can also review the application logs. Furthermore, A2[4] and A2[6] also have some common employees, so that employees working for patch copy are also working for system backup. Lastly, common employees also are found in A1[5] (receive DB access request) and A1[7] (receive application access). For this example, the remaining activities do not have any common employees (of course, this may not be the case for other organizations).

Relationships among different activities of different roles are shown in FIG. 7, which demonstrate that the lower level activities have relationships with their different consecutive higher level activities. For example, employees working on A2[1] are the immediate superiors of the employees working on A1[1] as A1[1]

A2[1]. Hence, E11 employees have to report to E21. Similarly, E21 employees have to report to E31 as A2[1]

A3[1]. It can be generalized as A1[1]

A2[1]

A3[1]

A4[1]

A5[1]

A6[1], which can be consider as simple or trivial relationships.

Similarly, A1[2]

A2[2]

A3[2]

A4[2]

A5[2]

A6[2] are the trivial relationships among the 2nd objectives of {R_(i)}_(i=16) for the given dataset. All the “blue lines” 210 presented in FIG. 7 show the existences of trivial relationships. Again, the relationships become complex with the existence of common employees working on different activities.

For example, from the dataset, it can be found that 28 employees are working for both A1[5] and A1[7]. Hence, these employees have to report to both the employees working on the activities A2[5] and A2[7]. Then, the following relationships can be found:

A1[5]

A2[5]

A3[5]

A4[5]

A5[5]

A6[5] (Simple relationships)

A1[5]

A2[7]

A3[7]

A4[7]

A5[7]

A6[7] (Complex relationships)

A1[7]

A2[7]

A3[7]

A4[7]

A5[7]

A6[7] (Simple relationships)

A1[7]

A2[5]

A3[5]

A4[5]

A5[5]

A6[5] (Complex relationships)

Similarly, 21 employees are working for both the activities A2[4] and A2[6]. Consequently, the following simple and complex relationships can be found:

A1[4]

A2[4]

A3[4]

A4[4]

A5[4]

A6[4] (Simple relationships)

A1[4]

A2[4]

A3[6]

A4[6]

A5[6]

A6[6] (Complex relationships)

A1[6]

A2[6]

A3[6]

A4[6]

A5[6]

A6[6] (Simple relationships)

A1[6]

A2[4]

A3[4]

A4[4]

A5[4]

A6[4] (Complex relationships)

All the “red lines” 220 presented in FIG. 7 show the complex relationships among different activities of various roles ({R_(i)}⁶ _(i=1) for the present example). Relationships among different activities of different role hierarchy can be considered as the primary initiator (θ_(42×42)) for this example, which is still very big. Hence, in some embodiments, it may be necessary to reduce its dimension to decrease complexity of graph generation as described in the appendices to the provisional applications as noted above, and incorporated herein by specific reference.

Assume that E22[1] has requested a file that needs three permissions for access. From the final reduced-dimension graph G it could be found that the number of adjacent elements (users) of E22[1] is 153 as follows: Adj(E22[1])={E12[1],E32[7],E42[19],E12[11],E32[1],E42[11],E32[7],E22[1],E42[8], . . . }.

Then, the number of sets of permission approvers for the top secret files requested by E22[1] is

$\begin{pmatrix} 153 \\ 3 \end{pmatrix} = {1\text{,}170\text{,}552.}$

All the sets are equally likely with probability 1/1,170,552, which is very low. Hence, the selected sets of permission approvers are non-repetitive in nature. The selected sets also change with time (see example in FIG. 8).

Similarly, in case of the secret files, which require two permissions for access the maximum number of the sets of permission approvers is

$\begin{pmatrix} 153 \\ 2 \end{pmatrix} = {11\text{,}628.}$

All the sets are equally likely with probability 1/11,628, which is still very low (see FIG. 9). Hence, the selected sets of permission approvers are non-repetitive in nature, making them very hard to guess.

The system thus mitigates privilege abuse risks by establishing a protocol of shared-responsibility among a group of users (e.g., employees in an organization). any request for accessing a classified or protected file or document needs approval from a set of approvers, rather than seeking approval from a single approver. The person requesting access does not know the set of approvers selected for a particular access request, and cannot determine their identities. Access and approver logs may be kept with proper retention for audit and risk analysis, such as when an incident is reported, as described below.

The present invention is applicable for various forms of organizations, enterprises, and governmental agencies. In several embodiments, the present invention comprises a method of accessing classified documents from an active archived system, in response to a user access request for classified data, information, or services. The system develops a multi-approver strategy to provide shared-trustworthiness access to the classified data, information and services. User access logs and approver logs are stored at a separate (which may be geographically separate) location under different control (thereby preventing a rogue “superuser” from accessing or erasing the log files to remove traces of malicious activities). These logs may be analyzed and a risk analysis performed when an unexpected or anomalous incident occurs. With high-bandwidth communication media and user-friendly applications on mobile computing devices, approvers will be able to grant or deny access requests in near real-time, so the delay in receiving access permission is bounded or limited.

Malicious or anomalous behavior provides feedback to the system for intelligently deciding the approvers for an particular user's access request, thereby forming a closed-loop data-breach prevention and detection framework.

The system design thus separates policy from the mechanisms of access control and execution of tasks. Today's organizations rely on either (one) uniform policy for all document access or on separate access policies for documents without other considerations such as human factors, organizational structure and work flow (tasks and activities), and non-technical attacks such as social-engineering or collusion. By separating all these facets and creating enforcement mechanisms, the shared-trust framework of the present invention provides the necessary flexibility for an organization yet gives the organization the control of setting the access policies for classified/sensitive documents while minimizing the effect of factors mentioned. The present system thus addresses issues such as, but not limited to, automatic enforcement of security policy, on-technical threats (e.g., social engineering and collusion). When a user requests access to a particular classified document, the response will be based on the shared trust policy from a set of users from the organization (based on the organization structure and role of the user) who are available at that instance of time to act as approvers notifying them to approve the request.

Accordingly, the invention also comprises a shared trust methodology for accessing classified documents (CD) from a computer/cyber system, comprising:

a) a mathematical formulation for mapping an organizational structure to a graph or network;

b) a multi-approver strategy for shared-trustworthy access (i.e. a user access request) to classified documents and services through an audit trail process;

c) high-bandwidth ubiquitous mobile devices, communication media and user-friendly apps technology (it is expected that an approver will be able to grant or deny access requests in near real-time so that there will be bounded delay in providing the access permission);

d) user access log and approver log are stored at a (geographically) separate location under different administrative control; and

e) risk analysis (including analysis of accessor and approver logs) performed when an unexpected or anomalous incident occurs such as CD access attempts without approval, same user as requester and approver, discrepancy in access and approver logs, and the like.

The method further guarantees that the multi-approver subsystem forms a close-loop data-breach prevention and detection framework by intelligently deciding the approvers for a particular user's access request. The framework embodies the secure system design principles of separating the policy from the mechanisms of access control and execution of tasks.

Today's organizations rely on either (one) uniform policy for all type of document access or separate (fixed) access policies for privileged and guest users' access to sensitive documents without other considerations such as human factors, organizational structure and work flow (tasks and activities), and non-technical attacks such as social-engineering, insider threats, adversary attacks, and so on. By separating all these facets and creating enforcement mechanisms, our innovative shared-trust framework provides the necessary flexibility for an organization yet gives the organization the control of setting the access policies for classified/sensitive documents while minimizing the effect of above-mentioned factors. the shared-trust framework is designed and developed to automatic enforcement of a special security policy for classified document access. When a user requests such an access, the approver component gets activated, selects a set of users from the organization (based on the organization structure and role of the user) who are eligible and available to give permission to this access request. The approver component is to prevent data abuse by privileged users and also help in auditing sensitive record-storing systems. The set of approvers chosen remains unknown to the requesting user to prevent future compromise and security threats. That is, the file requesting user does not know who are the exact approver(s) and hence cannot collude with them. Only when the approver approves the access request, the user obtains access right to the classified document. the components will record the corresponding information in the access or approver logs. Such logs can help to handle non-repudiation, be analyzed for any unauthorized access or prevention of malicious (insider) behavior. Selecting a set of possible approvers for a user file access request depends on their rank, availability, and other pertaining conditions, but may be flexible based on the type and size of the organization.

The user “access log” provides a history of users' access for offline (after-the-fact) analysis to detect unauthorized access but highly skilled rogue super-users can erase such log files in order to remove the trace of their malicious activities, making off-line analysis ineffective. So storing these (user access log and approver log) at (geographically) separate locations under different administrative control will prevent such malicious insider threats and data breaches. The strong mathematical modeling guarantees the selection of appropriate approvers in a near real-time fashion for a large-size organization (with hierarchical structure).

Further, the above methodologies can be used in conjunction with the adaptive selection of multiple modalities for authentication in different operating environments, which incorporates a novel approach of calculating trustworthy values of different authentication factors under various environmental settings, as set forth in U.S. patent application Ser. No. 14/968,676 (filed Dec. 14, 2015), No. 62/169,991 (filed Jun. 2, 2015), and No. 62/262,626 (filed Dec. 3, 2015), by Dasgupta, et al., which are incorporated herein by specific reference in their entireties for all purposes.

These embodiments, as well as other exemplary embodiments, as well as the tools and programs referenced above, are described in detail in the below-described materials which are attached as appendices to the provisional applications described above, and incorporated herein in their entirety (including all text and figures therein) by specific reference:

“Multi-User Permission Strategy to Access Sensitive Information” (29 pages)

“A Shared Trust Model for Accessing Classified Data” (31 pages)

“Adaptive Multi-Factor Authentication System and Method” (62 pages)

In order to provide a context for the various computer-implemented aspects of the invention, the following discussion provides a brief, general description of a suitable computing environment in which the various aspects of the present invention may be implemented. A computing system environment is one example of a suitable computing environment, but is not intended to suggest any limitation as to the scope of use or functionality of the invention. A computing environment may contain any one or combination of components discussed below, and may contain additional components, or some of the illustrated components may be absent. Various embodiments of the invention are operational with numerous general purpose or special purpose computing systems, environments or configurations. Examples of computing systems, environments, or configurations that may be suitable for use with various embodiments of the invention include, but are not limited to, personal computers, laptop computers, computer servers, computer notebooks, hand-held devices, microprocessor-based systems, multiprocessor systems, TV set-top boxes and devices, programmable consumer electronics, cell phones, personal digital assistants (PDAs), tablets, smart phones, touch screen devices, smart TV, internet enabled appliances, internet enabled security systems, internet enabled gaming systems, internet enabled watches; internet enabled cars (or transportation), network PCs, minicomputers, mainframe computers, embedded systems, virtual systems, distributed computing environments, streaming environments, volatile environments, and the like.

Embodiments of the invention may be implemented in the form of computer-executable instructions, such as program code or program modules, being executed by a computer, virtual computer, or computing device. Program code or modules may include programs, objects, components, data elements and structures, routines, subroutines, functions and the like. These are used to perform or implement particular tasks or functions. Embodiments of the invention also may be implemented in distributed computing environments. In such environments, tasks are performed by remote processing devices linked via a communications network or other data transmission medium, and data and program code or modules may be located in both local and remote computer storage media including memory storage devices such as, but not limited to, hard drives, solid state drives (SSD), flash drives, USB drives, optical drives, and internet-based storage (e.g., “cloud” storage).

In one embodiment, a computer system comprises multiple client devices in communication with one or more server devices through or over a network, although in some cases no server device is used. In various embodiments, the network may comprise the Internet, an intranet, Wide Area Network (WAN), or Local Area Network (LAN). It should be noted that many of the methods of the present invention are operable within a single computing device.

A client device may be any type of processor-based platform that is connected to a network and that interacts with one or more application programs. The client devices each comprise a computer-readable medium in the form of volatile and/or nonvolatile memory such as read only memory (ROM) and random access memory (RAM) in communication with a processor. The processor executes computer-executable program instructions stored in memory. Examples of such processors include, but are not limited to, microprocessors, ASICs, and the like.

Client devices may further comprise computer-readable media in communication with the processor, said media storing program code, modules and instructions that, when executed by the processor, cause the processor to execute the program and perform the steps described herein. Computer readable media can be any available media that can be accessed by computer or computing device and includes both volatile and nonvolatile media, and removable and non-removable media. Computer-readable media may further comprise computer storage media and communication media. Computer storage media comprises media for storage of information, such as computer readable instructions, data, data structures, or program code or modules. Examples of computer-readable media include, but are not limited to, any electronic, optical, magnetic, or other storage or transmission device, a floppy disk, hard disk drive, CD-ROM, DVD, magnetic disk, memory chip, ROM, RAM, EEPROM, flash memory or other memory technology, an ASIC, a configured processor, CDROM, DVD or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium from which a computer processor can read instructions or that can store desired information. Communication media comprises media that may transmit or carry instructions to a computer, including, but not limited to, a router, private or public network, wired network, direct wired connection, wireless network, other wireless media (such as acoustic, RF, infrared, or the like) or other transmission device or channel. This may include computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism. Said transmission may be wired, wireless, or both. Combinations of any of the above should also be included within the scope of computer readable media. The instructions may comprise code from any computer-programming language, including, for example, C, C++, C#, Visual Basic, Java, and the like.

Components of a general purpose client or computing device may further include a system bus that connects various system components, including the memory and processor. A system bus may be any of several types of bus structures, including, but not limited to, a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. Such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.

Computing and client devices also may include a basic input/output system (BIOS), which contains the basic routines that help to transfer information between elements within a computer, such as during start-up. BIOS typically is stored in ROM. In contrast, RAM typically contains data or program code or modules that are accessible to or presently being operated on by processor, such as, but not limited to, the operating system, application program, and data.

Client devices also may comprise a variety of other internal or external components, such as a monitor or display, a keyboard, a mouse, a trackball, a pointing device, touch pad, microphone, joystick, satellite dish, scanner, a disk drive, a CD-ROM or DVD drive, or other input or output devices. These and other devices are typically connected to the processor through a user input interface coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, serial port, game port or a universal serial bus (USB). A monitor or other type of display device is typically connected to the system bus via a video interface. In addition to the monitor, client devices may also include other peripheral output devices such as speakers and printer, which may be connected through an output peripheral interface.

Client devices may operate on any operating system capable of supporting an application of the type disclosed herein. Client devices also may support a browser or browser-enabled application. Examples of client devices include, but are not limited to, personal computers, laptop computers, personal digital assistants, computer notebooks, hand-held devices, cellular phones, mobile phones, smart phones, pagers, digital tablets, Internet appliances, and other processor-based devices. Users may communicate with each other, and with other systems, networks, and devices, over the network through the respective client devices.

Thus, it should be understood that the embodiments and examples described herein have been chosen and described in order to best illustrate the principles of the invention and its practical applications to thereby enable one of ordinary skill in the art to best utilize the invention in various embodiments and with various modifications as are suited for particular uses contemplated. Even though specific embodiments of this invention have been described, they are not to be taken as exhaustive. There are several variations that will be apparent to those skilled in the art. 

What is claimed is:
 1. A shared-trust method for accessing classified documents on a computer network, comprising the steps of: generating an access control graph for an organization, said access control graph based on the interrelationships among a plurality of employees and their roles in the organization; receiving from a first user an electronically-communicated request to access at least one classified document of the organization stored on a computer network, wherein said at least one classified document has a classification level; generating a set of possible approvers for the access request from the first user, wherein the set of possible approvers is based on the possible approvers' rank with respect to the first user, and the current availability of the possible approvers; determining the number of separate approvals required for access to the at least one classified document, generating a set of permission grantors from the set of possible approvers, wherein the size of the set of permission grantors equals the number of separate approvals required; transmitting requests for permission for the first user's access request to the set of permission grantors; receiving approvals in real time or near real-time from the set of permission grantors; and providing the first user access to the requested at least one classified document.
 2. The method of claim 1, wherein the number of separate approvals required for access is based on the classification level of the at least one classified document.
 3. The method of claim 1, wherein the set of possible approvers is based on the key result area (KRA) of the first user.
 4. The method of claim 1, where communication with the permission grantors is through high-bandwidth mobile devices operated by the permission grantors.
 5. The method of claim 1, further comprising the steps of: maintaining a user access log; and maintaining an approval log.
 6. The method of claim 5, wherein the user access log and approval logs are stored at a geographically remote and separate location from the computer network of the organization.
 7. The method of claim 5, further comprising identifying high-risk events or activities.
 8. The method of claim 7, wherein the high-risk events or activities include unexpected or anomalous incidents, discrepancies in access and approval logs, and instances where the first user also is an approver.
 9. The method of claim 1, wherein generating a set of possible approvers further comprises automatic implementation of an organizational security policy for classified document access.
 10. The method of claim 1, wherein the set of permission grantors for the first user's access request is non-repetitive.
 11. The method of claim 1, wherein the set of permission grantors for the first user's access request is not known to the first user.
 12. An improved system for accessing classified documents on a computer network, comprising: a computer network in an organization, said network comprising at least one computer server with a microprocessor coupled to a memory and a non-transitory computer-readable storage medium, and said organization comprising a plurality of employees, wherein some or all of said plurality of employees possess means for electronically communicating with said computer network; at least one classified document with a classification level, said at least one classified document stored on said non-transitory computer-readable storage medium; wherein the microprocessor is programmed to resolve access requests to said at least one classified document by: generating an access control graph for the organization, said access control graph based on the interrelationships among the plurality of employees and their roles in the organization; receiving from a first user an electronically-communicated request to access said at least one classified document; generating, from said plurality of employees, a set of possible approvers for the access request from the first user, wherein the set of possible approvers is based on the possible approvers' rank with respect to the first user and the current availability of the possible approvers; determining the number of separate approvals required for access to the at least one classified document, generating a set of permission grantors from the set of possible approvers, wherein the size of the set of permission grantors equals the number of separate approvals required; electronically transmitting requests for permission for the first user's access request to the set of permission grantors; receiving approvals in real time or near real-time from the set of permission grantors; and providing the first user access to the requested at least one classified document.
 13. The system of claim 12, wherein the number of separate approvals required for access is based on the classification level of the at least one classified document.
 14. The system of claim 12, wherein the set of possible approvers is based on the key result area (KRA) of the first user.
 15. The system of claim 12, where said means for electronically communicating with said computer network is through high-bandwidth mobile devices operated by the permission grantors.
 16. The system of claim 12, further comprising a user access log and an approval log, which are stored at a geographically remote and separate location from the computer network.
 17. The system of claim 16, further wherein unexpected or anomalous incidents, discrepancies in the user access and approval logs, and instances where the first user also is an approver, are identified and reviewed.
 18. The system of claim 12, wherein generating a set of possible approvers further comprises automatic implementation of an organizational security policy for classified document access.
 19. The system of claim 12, wherein the set of permission grantors for the first user's access request is non-repetitive.
 20. The system of claim 12, wherein the set of permission grantors for the first user's access request is not known to the first user. 